| Summary: | www-servers/lighttpd: script exposure | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Boris <1723542c42148b2fe4af9f7ad1e382b30d4b7fd7> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://article.gmane.org/gmane.comp.web.lighttpd/1171 | | |
| Whiteboard: | B3 [glsa] koon | | |
| Package list: | | Runtime testing required: | --- |
Description

Boris
2005-02-12 12:40:22 UTC

Sorry, there is one thing I forgot to mention: the license of the lighttpd package has changed from QPL-1.0 to a BSD-style licence with version 1.3.5. This change should be reflected when bumping to a current version. web-apps please bump. http://www.lighttpd.net/news/

I actually have a 1.3.10 ebuild I've been working on; I just need to integrate the spawn-fcgi init/conf scripts into lighttpd as it is now a part of lighttpd. I'll see if I cannot get this finished today.

Have a look at 76575 - here I changed some things like that for 1.3.7.

argh, sorry, that's the comment I meant: http://bugs.gentoo.org/show_bug.cgi?id=76575#c4

Committed. Sorry for not getting this done as soon as I said I would.

Thx Aaron. This one is ready for GLSA. Security please vote.

I tend to vote YES on this one.

Voting yes too.

I'm testing at the moment; some things I noticed in http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/www-servers/lighttpd/lighttpd-1.3.10.ebuild?rev=1.1&content-type=text/plain

- A lighttpd user & group is created, but I cannot find where they are put into lighttpd.conf, to replace the following lines:

#server.username = "wwwrun"
#server.groupname = "wwwrun"

(replace "wwwrun" with "lighttpd" and remove #)

In my ebuild I used the following lines to do this:

sed -i -e 's:^#server.username.*:server.username = "lighttpd":1' ${D}/etc/lighttpd.conf
sed -i -e 's:^#server.groupname.*:server.groupname = "lighttpd":1' ${D}/etc/lighttpd.conf

But that's not nice; I think the better way would be to use lighttpd-1.1.8-gentoo.diff, perhaps change it to lighttpd-1.3.10-gentoo.diff (${P}-gentoo.diff).

An issue with http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/www-servers/lighttpd/files/lighttpd-1.3.10-php.diff?rev=1.1&content-type=text/plain - in the following diff:

diff -urN lighttpd-1.3.10.orig/doc/lighttpd.1 lighttpd-1.3.10/doc/lighttpd.1
-/etc/lighttpd/lighttpd.conf
+/etc/lighttpd.conf

Is this change only necessary if used with php? Because as I understand it, this patch is conditional in lighttpd-1.3.10.ebuild:

use php && epatch ${FILESDIR}/${P}-php.diff

Perhaps the "lighttpd.1 diff" should be moved to ${FILESDIR}/${P}-gentoo.diff.

The lighttpd author also recommends using the following patches: http://wiki.lighttpd.net/7.html#A14

Ok, there's a few things I need to fix, but they do not hinder the status of this bug:
- I forgot that the licensing has changed to BSD
- Yes, the default lighttpd.conf should contain the new change to lighttpd user/group
- Yes, the man page should be patched regardless of USE=php; this is a bug I should've caught when porting the php patch to 1.3.10, so my mistake.

I'll release a -r1 asap, but like I said these are minor and have no effect on this bug.

1.3.10-r1 is in cvs.

Drafted GLSA 200502-21
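The user/group rewrite discussed in the thread above, as an added shell example that is not the ebuild's own code nor any of the bug's patches: it replaces the commented-out upstream defaults with a dedicated account (appending the directives if a stripped-down config lacks them) and then checks that the resulting lighttpd.conf does not leave the daemon running as root. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the ebuild or from this bug's patches.
# Function names and the sample config below are constructed for illustration.

# Rewrite server.username / server.groupname, whether commented out or
# already set, so lighttpd drops root privileges to the given account.
set_lighttpd_user() {
    conf=$1 user=$2 group=$3
    sed \
        -e "s/^[[:space:]]*#\{0,1\}[[:space:]]*server\.username[[:space:]]*=.*/server.username = \"$user\"/" \
        -e "s/^[[:space:]]*#\{0,1\}[[:space:]]*server\.groupname[[:space:]]*=.*/server.groupname = \"$group\"/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # A stripped-down config may lack the directives entirely; append them.
    grep -q '^server\.username' "$conf" || printf 'server.username = "%s"\n' "$user" >> "$conf"
    grep -q '^server\.groupname' "$conf" || printf 'server.groupname = "%s"\n' "$group" >> "$conf"
}

# Succeed only if an uncommented, non-root user AND group are configured;
# with the commented-out upstream defaults lighttpd keeps the identity it
# was started with (root, when it binds port 80).
check_lighttpd_user() {
    conf=$1
    u=$(sed -n 's/^server\.username[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    g=$(sed -n 's/^server\.groupname[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    [ -n "$u" ] && [ -n "$g" ] && [ "$u" != root ] && [ "$g" != root ]
}

# Constructed stand-in for the upstream default lighttpd.conf (not the real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
server.document-root = "/var/www/localhost/htdocs"
server.port = 80
#server.username = "wwwrun"
#server.groupname = "wwwrun"
EOF
}
```

Running set_lighttpd_user a second time is harmless, since the regex matches the already-rewritten lines and replaces them with the same text.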